Title: Mitigating Distributed Denial of Service Attacks Using a Proportional-Integral-Derivative Controller
1 Mitigating Distributed Denial of Service Attacks Using a Proportional-Integral-Derivative Controller
- Marcus Tylutki
- <tylutki_at_cs.ucdavis.edu>
2 Outline
- Response to DDoS (Overview)
- Control Theory Background
- PID Control Law
- DDoS response model utilizing PID Control
- Experimental Results
- Comparison to existing DDoS response models
3 Response to DDoS
- DDoS Examples
  - Stacheldraht
  - Trinoo
  - Tribal Flood Network
- Current response utilizes 2 main methods
  - IP Traceback
  - Bandwidth pushback
4 Classic Control Theory
Block diagram: the Controller compares the Desired Value, $v_d$, with the Observed Value, $v_o$, and applies System Changes, $s_c$, to the System; the System is also subject to (unknown and known) disturbances.
5 PID Control Law
- The control signal has 3 components
  - Proportional Mode
    - $c(t) = K_C\, e(t) + c_b$
  - Integral Mode: compensates error buildup over time
    - $c(t) = \frac{K_C}{\tau_I} \int e(t)\, dt + c_b$
  - Derivative Mode: attempts to match the rate of change
    - $c(t) = K_C \tau_D \frac{d}{dt} e(t) + c_b$
6-7 Using PID Control Law to mitigate DDoS effects
8 Necessary Assumptions
- A sensor exists which can determine (probabilistically) whether a packet is part of a DDoS attack or legitimate.
  - Webscreen WS100 claims to do this for web servers.
- The flow of packets through any border router headed towards the protected network can be detected. (iTrace)
- A technique exists for dropping packets heading towards the protected network at the border router. (Traffic shaping)
- The border router that forwarded a particular DDoS attack packet can be identified. (CEF)
9 Goals of the Approach
- Bound the total amount of traffic passing through to the protected network
- Maximize the percentage of legitimate packets in the flow reaching the protected network
- Minimize the overall impact of overhead produced by this method
10 Calculation of PID Control Variables
- Percent legitimate traffic
  - $x(t) = 1 - \frac{\text{Attack Flow}}{\text{Total Flow}}$
- Error used for future predictions
  - $e(t) = z_{ideal}(t-1) - z(t-1)$
  - $e(t) = \left(1 - \frac{\text{Limit}}{\text{Flow}(t-1)}\right) - z(t-1)$
- Predicted block percentage
  - $z(t) = c(t) + z(t-1)$
11 Calculation of c(t)
- Proportional Control (P)
  - $c(t) = K_C\, e(t)$
- Proportional Derivative Control (PD)
  - $c(t) = K_C\, e(t) + \tau_D \frac{d}{dt} e(t)$
  - $\frac{d}{dt} e(t) \approx \frac{e(t-1) - e(t-2)}{\Delta t}$
- Proportional Integral Derivative Control (PID)
  - $c(t) = K_C\, e(t) + \tau_D \frac{d}{dt} e(t) + \frac{1}{\tau_I} \int e(t)\, dt$
  - $\int e(t)\, dt \approx \Delta t \sum_{i=1}^{t} e(i)$
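As an added example, not code from the slides, the P, PD and PID updates of slides 10 and 11 written out in Python and run over constructed per-interval flow counts: the class and function names, the clamp of z(t) to [0, 0.99] (the 99% maximum block from slide 21 plus a floor at zero) and the flood scenario are assumptions.

```python
class PidBlocker:
    """Block-fraction controller z(t) in the slides' discrete PID form.

    e(t) = z_ideal(t-1) - z(t-1), with z_ideal = 1 - Limit/Flow
    c(t) = Kc*e(t) + tau_d*de/dt + (1/tau_i)*integral(e)  (P, PD or PID)
    z(t) = c(t) + z(t-1), clamped to [0, z_max]  (the clamp is an assumption)
    """

    def __init__(self, limit, kc, tau_d=0.0, tau_i=None, dt=20.0, z_max=0.99):
        self.limit, self.kc, self.tau_d, self.tau_i = limit, kc, tau_d, tau_i
        self.dt, self.z_max = dt, z_max
        self.z = 0.0        # z(t-1): fraction of inbound traffic currently dropped
        self.errors = []    # e(1) .. e(t), kept for the integral and derivative terms

    def update(self, flow_prev):
        """Advance one interval given Flow(t-1), the total traffic seen in it."""
        # z_ideal(t-1) = 1 - Limit/Flow(t-1); nothing to block while under the limit
        z_ideal = max(0.0, 1.0 - self.limit / flow_prev) if flow_prev > 0 else 0.0
        self.errors.append(z_ideal - self.z)
        c = self.kc * self.errors[-1]                        # proportional term
        if self.tau_d and len(self.errors) >= 3:             # derivative term
            # slide 11: d/dt e(t) ~ (e(t-1) - e(t-2)) / dt
            c += self.tau_d * (self.errors[-2] - self.errors[-3]) / self.dt
        if self.tau_i:                                       # integral term
            # slide 11: integral of e dt ~ dt * sum_{i=1..t} e(i)
            c += self.dt * sum(self.errors) / self.tau_i
        self.z = min(self.z_max, max(0.0, self.z + c))       # z(t) = c(t) + z(t-1)
        return self.z


def simulate(flows, limit, **gains):
    """Return the z(t) series for per-interval total flows (constructed input)."""
    ctl = PidBlocker(limit, **gains)
    return [ctl.update(f) for f in flows]


def settled(zs, target, tol=0.01, last=3):
    """True when the final `last` block fractions all lie within tol of target."""
    return all(abs(z - target) < tol for z in zs[-last:])


if __name__ == "__main__":
    # Constructed scenario: 400 SCTs/s flood against a 100 SCTs/s limit, then the
    # flood stops (50 SCTs/s).  z should approach 0.75 and then fall back to 0.
    flows = [400] * 8 + [50] * 4
    for label, gains in [("P", dict(kc=1.2)),
                         ("PD", dict(kc=1.3, tau_d=0.2)),
                         ("PID", dict(kc=1.5, tau_d=0.2, tau_i=10))]:
        print(label, [round(z, 3) for z in simulate(flows, 100, **gains)])
```

With pure P control and Kc = 1.2 the closed form is z(n) = 0.75 (1 - (-0.2)^n), so z settles within a few intervals, whereas a gain above 2 makes z bounce between the clamp limits and never settle.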
12 PID Simulation Results
13-16 PID Sim. Results (cont'd)
17 Experiment Setup
Testbed diagram components: a comm. server, two comm. clients, two attackers, two firewall servers and the PID controller; hosts named xeno, baruntse and izzy.
18 Assumptions of the Experiment
- Uniform packet weights
  - Equal impact on protected services
- One DDoS target
- Firewall servers in place
- Limited types of spoofed packets
  - Can not spoof across foreign networks
- All DDoS traffic is over TCP/IP
19 Assumptions of the Experiment (cont'd)
- PID control parameters are static
- Attack packets are easily distinguished.
  - All packets are examined
  - 100% accuracy
- All connections are authenticated using SSL
- Attacks do not originate from inside the protected network
- Attacks do not bypass the TCP stack
20 Experiment Configurations
- Border router firewall
  - dummynet
  - ipfw
    - ipfw pipe 1 config plr .50
- Comm. Client, Attacker
  - Uses a Poisson probability distribution to calculate delay
  - Transmissions are single characters (SCTs)
    - A for attack packet
    - B for legitimate packet
  - izzy had a majority of attack traffic with some legitimate traffic
  - baruntse had a majority of legitimate traffic with some attack traffic
21 PID Control within the Experiment
- $\Delta t = 20$ seconds
- z(t) does not translate directly from packets to transmissions
  - $z(t) = 0.60$ dropped 95% of connections
  - $z(t) = 0.05$ dropped 39% of connections
  - $z(t) = 0.01$ dropped 8% of connections
- Maximum block z(t) set to 99%
22 Results of the Experiment
Figure: Results of Proportional, Proportional Integral, and Proportional Derivative Control. Traffic (SCTs / second, 0 to 400) against Time (sec, 0 to 423); plotted series: Limit, Baseline, Pushback, Kc = 1.2 (P), Kc = 1.3 with Td = .2 (PD), Kc = 1.5 with Ti = 10 (PI).
23 Results of the Experiment (cont'd)
24 Benefits of each PID control mode
- Proportional
  - Traffic is truly random, yet stabilizes around an average
- Proportional-Integral
  - As above, yet includes undetermined errors that can be compensated
- Proportional-Derivative
  - Traffic contains some non-linear patterns that shift from time to time
- Proportional-Integral-Derivative
  - Traffic that contains patterns and undetermined errors
25 Future Work
- Chaotic maps
- Multidimensional PID control
- Packet weights
- Support for non-border routers
- Commercial PID Controllers
- Faster, more accurate PID parameter tuning